Ask the Founders: Breaking Down the atPlatform

P: If you become the Google of identity, every hacker and his dog is going to want to crack you. How do you plan to prevent this and are your systems 3rd party audited?

K & C: We do not want to be the Google of identity. We want each person to be able to own and control access to their own data. The first principle for us is:

P: What happens when I have shared data and my friend is offline but e.g. needs my contact details?

K & C: The reason for having cloud microservices is to provide a point of presence that can be reliably accessed over the Internet. This ensures that data that has been shared can be accessed by others even if they are offline.

P: How do you manage the user life cycle? E.g. losing devices, logging on across devices.

K & C: We have a reasonable onboarding process at the moment that involves first connecting the mobile device with the cloud microservice using a shared symmetric key and then generating two asymmetric key pairs on the mobile device (one for access to the atSign owner’s secondary server and another for encrypting data shared with others). We first use the shared symmetric key to pair with the cloud microservice; once this is done, the symmetric key is deleted from the cloud microservice. The keys are stored in the device’s secure enclave, and a backup key is generated that needs to be stored in a memorable place for restoration and pairing with other applications and devices.

P: What’s to prevent a malicious app from screwing with the data produced through my app? E.g. an admin user has access to sensitive information from a company @name, but then installs a malicious app.

K & C: Our strategy for preventing a malicious app from screwing with data at the moment is to review and certify applications to eliminate such behavior. We also have an ambition to automate the process as much as we can. We are currently evaluating how to control app level access (read and write) to data using a namespace convention, which is already a part of the atProtocol spec and reference implementation.

P: What happens if I don’t renew my atSign? Does my data disappear from view across all apps?

K & C: That would be terrible! We do back up your data as part of the cloud microservice services so that in any event, data can be restored (remember, it is impossible for us to access your private data, so the backups are safe and only you can restore the data and make it useful).
